Third Party Security Assurance has made a pretty poor name for itself. This is due to many organisations paying lip-service to the requirement and not implementing it properly. Many organisations view Third Party Security Assurance as the need to send your supplier a questionnaire with some security questions on it,

The ISO 27701 standard makes some additional control recommendations that are supposed to supplement the ISO 27002 controls guidance. ISO 27701 is clearly intended to be a generic privacy controls framework. How do the controls stack up to the requirements of the GDPR? The GDPR is actually quite prescriptive in

This is Part 3 of a series on Understanding ISO 27001. The other parts can be found here. Risk Management is a delicate topic as it tends to draw the perfectionists out of the woodwork. Clause 6 of ISO 27001 wants you to implement a risk assessment process and a

This post will pick up from clause 5. All the other parts of this series can be found here. Clause 5 is titled Leadership. This is a bit of a red herring. It really should have been called Governance. What clause 5 is trying to ensure is that senior management

The ISO 27001 Standard is written using a standardised ISO glossary of terms. These apply across the whole breadth of ISO Standards, so if you are implementing multiple standards, you can quickly understand what is required and get on with it. Unfortunately, if this is your first exposure to ISO

Part 5 of the series picks up from A.10 Cryptography. Click here to see the other posts in this series. Cryptographic Controls The ISO 27701 Standard points out that some jurisdictions require encryption to be used on some forms of PII data. It then provides additional guidance that data subjects

As per a previous post, it looks like ransomware is now the easiest way of making money on the Internet, for anyone that thinks they can get away with breaking the law. I’m going to take a different view of this news, and concentrate on why this makes sense as

Part 4 of a series on implementing ISO 27701 as a way to gain Privacy Certification. Click here for the rest of the series. Human Resource Security The ISO 27701 standard chooses not to add any additional guidance to this set of clauses with the exception of training and awareness.

Part 3 of the series looks at the applicable controls in ISO 27002 and the impact of Privacy on them. Click here to see the rest of the series. Policies The additional implementation guidance within ISO 27701 on this is slightly confused. In ISO 27002 under A.5.1.1, it is a